
Authorization Bypass Vulnerability Discovered in Amazon QuickSight AI Chat Agents
Tags: News, AI, AWS, vulnerability, vulnerability disclosure, authorization bypass, security, business intelligence
Fog Security founder Jason Kao identified an authorization bypass vulnerability in Amazon Quick, an AWS business intelligence and agentic AI service, where custom permissions restricting access to AI chat agents were enforced only in the user interface. Direct API calls to the backend bypassed these restrictions, allowing users to interact with explicitly disabled AI chat agents. The issue occurred earlier in 2026, though no specific dates were provided. Enterprises relying on Amazon Quick for access control were affected, as the flaw undermined intended security measures. No CVE ID or patch details were mentioned in the report.
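The flaw class described above, a permission applied in the UI but not re-checked by the backend, modelled as an added example; it is not code from the report or from AWS. Every name in it (`User`, `chat_ui_only`, `chat_enforced`, the agent ids) is hypothetical and no real Amazon Quick API is represented. `bypasses_ui` is a regression check that calls the backend handler directly instead of going through the UI.

```python
# Added illustration: a hypothetical model, not Amazon Quick's API or code.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the backend refuses a request."""

@dataclass
class User:
    name: str
    # Constructed stand-in for a custom permission that disables chat agents.
    disabled_agents: set = field(default_factory=set)

AGENTS = {"sales-agent": "Sales chat agent", "hr-agent": "HR chat agent"}

def ui_visible_agents(user):
    """UI layer: hides disabled agents. Presentation only, not a control."""
    return sorted(a for a in AGENTS if a not in user.disabled_agents)

def chat_ui_only(user, agent_id, prompt):
    """Flawed handler: assumes the UI never offers a disabled agent."""
    return f"{AGENTS[agent_id]} answers {user.name}: {prompt}"

def chat_enforced(user, agent_id, prompt):
    """Hardened handler: evaluates the permission on every request."""
    if agent_id in user.disabled_agents:
        raise Forbidden(f"{agent_id} is disabled for {user.name}")
    return f"{AGENTS[agent_id]} answers {user.name}: {prompt}"

def bypasses_ui(handler, user):
    """Call the handler directly for each agent the UI hides and return
    the ones that still respond; an empty list means enforcement holds."""
    leaked = []
    for agent_id in sorted(a for a in user.disabled_agents if a in AGENTS):
        try:
            handler(user, agent_id, "ping")
            leaked.append(agent_id)
        except Forbidden:
            pass
    return leaked

if __name__ == "__main__":
    alice = User("alice", {"hr-agent"})
    print("UI shows:", ui_visible_agents(alice))
    print("UI-only handler leaks:", bypasses_ui(chat_ui_only, alice))
    print("Enforced handler leaks:", bypasses_ui(chat_enforced, alice))
```
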